Lesson 3: Using Audit Policies
In this lesson, you will learn how to use audit policies to track authorized access to secure resources and the exercise of user rights. Auditing allows you to determine when valid users are misusing their authority or when hackers have maliciously made use of a valid user account.
Understand the role of auditing in securing a computer
Manage the auditing of user rights
Manage the auditing of file and Active Directory access
Which Security Mechanisms Are Used in Auditing?
There are two entirely different theories of security in the world:
Authorization systems seek to prevent unauthorized users from accessing restricted resources, but these systems do not track the activities of valid users. Authorization systems are similar to lock and key systems that prevent theft in the real world. Authorization is implemented through permissions in Windows 2000.
Accountability systems allow open access to all resources, but they hold users responsible for the way they use resources. Accountability systems are similar to legal restrictions that do not restrict access or behavior but punish perpetrators after the fact. Accountability is implemented through auditing in Windows 2000.
Neither theory works perfectly well by itself. Pure authorization systems cannot ensure that valid users won't cause harm, and pure accountability systems cannot prevent damage to critical resources, they can only allow events to be reconstructed so that the perpetrator can be held accountable. Both systems are used in the real world, and both systems are used in security for the Windows operating system.
How Auditing Works
The Windows operating system has extremely strong support for accountability through its support for auditing. Windows makes it possible for administrators to potentially record every action that a user makes in a system, from logging on or exercising user rights to reading and writing files.
The resulting list of activities is called an audit trail, and it creates a body of evidence that can be used to reconstruct a user's activities should it become necessary. The audit trail can also be used to search for anomalous activities, such as user account logon attempts during off hours or an extraordinary number of logon attempts across multiple accounts in a short period.
Auditing is managed and enforced similarly to permissions and rights in Windows. With the combination of permitted activities and user rights, it is possible to record virtually every activity that every user takes on the system.
For securable objects like files or registry keys, a special type of ACL called a system access control list (SACL) is contained in the object's security descriptor. Rather than specifying permissions for security principals, the ACEs in a SACL specify the activities that should be audited (recorded in the security log). You can audit every type of access that can be permitted. The security reference monitor makes audit log entries after it checks for proper permissions.
Just as normal permissions can permit or deny activities, auditing can record the success or failure of a potential operation. For example, you can choose to audit only successful logon attempts, only failed logon attempts, or both.
In addition to auditing file access, Windows 2000 can audit the exercise of user rights, such as the right to log on locally or interactively, or the right to take ownership of files. If you choose, every exercise of user rights can be recorded.
Identifying Audit Categories
The types of events you can audit are broken down into a number of categories, based on the services that audit events. For example, the security reference monitor is responsible for monitoring object access, while the WinLogon process is responsible for monitoring logon events. The following list describes the various audit categories:
Account logon events allow you to audit the validation of account credentials by the computer that holds the account. For a domain account this is a domain controller, so these events record domain logons regardless of which workstation or server the user logged on to; a member server records them only for its own local accounts.
Account management allows you to audit the creation, deletion, and management of user accounts.
Directory service access allows you to audit access to Active Directory objects. For example, you could audit attempts to manage certain critical user accounts, domains, or security groups. Auditing many Active Directory objects creates numerous audit log entries and can put domain controllers under some load.
Logon events allow you to audit the success or failure of logon and logoff attempts at the computer being accessed, whether the logon is interactive (at the console) or over the network (for example, connecting to one of its shares).
Object access enables the auditing of files, folders, and printers.
You must enable this policy setting to audit these types of objects. Monitoring object access can put the system under extreme load and create numerous audit log entries. You should enable object access monitoring only for specific folders and files that contain sensitive information.
Policy change allows you to audit changes to the computer's security policy settings, such as its audit policy, user rights assignments, and trust relationships.
Privilege use allows you to audit the use of user rights, such as taking ownership of files. Monitoring privilege use can put the system under load and will create numerous audit log entries.
Process tracking allows you to audit the execution of programs in the system: process creation and exit, handle duplication, and indirect access to objects. Monitoring process tracking will create numerous audit log entries.
System events allow you to audit events that affect the security of the system as a whole, such as starting up or shutting down the system, or clearing the event log.
Managing Auditing
To establish auditing for any of the categories, you must define the audit policy settings in a GPO: either the computer's Local Security Policy or a GPO linked to a site, domain, or OU. For most categories, this is all that is necessary to begin recording audited activities in the security log. Audit policy is contained in the Computer Configuration portion of the GPO, and it applies to all computers within the Active Directory container to which the GPO is linked.
For file system or printer access, you must enable auditing of object access and then create a SACL in the audited object's security descriptor. This process is very similar to setting permissions on the object and is handled through the Advanced section of the object's Security tab. To audit Active Directory object access, you must enable directory service access and then enable auditing on the specific objects you want to monitor.
All audit events are recorded in the computer's security log. To view audit information, use Event Viewer to read events in the security log. Figure 4-11 shows a server's security log with various audit log entries.
Figure 4-11. The security log records audited events
Avoiding Auditing Problems
There are downsides to the powerful recording capabilities of auditing:
Auditing can put a significant load on the system, because every audited event costs CPU time and a write to the log on disk. If you enabled auditing for all files on a system, the load would make the machine too slow to serve multiple users effectively.
Excessive auditing also fills the security log with events that you don't care about, making it harder to find critical events. Enabling auditing on events like process tracking and privilege use can create a tremendous number of audit log entries, making crucial hacking indicators such as numerous failed logon attempts more difficult to see.
Keep your security log clean by auditing only those types of events that actually indicate hacking activity or abuse by employees.
Administering Auditing Activities
You must administer auditing judiciously by enabling the auditing of rare events that are potentially dangerous and which have a high likelihood of indicating abuse, while allowing routine activities and activities with low potential for abuse to go untracked.
Typically, administrators monitor:
Account management operations, such as adding or deleting user accounts and security groups
Security policy changes, such as changes to audit policy or user rights assignments
System events, such as starting up or shutting down the system
Network and local logon failure
Read and Write access to specifically identified, extremely sensitive documents
When you enable auditing for relatively rare events, the audit mechanism will not create a noticeable load on your server.
Practice: Enabling Auditing
In this practice, you enable the auditing of failed logons, account management, and policy changes, as well as access to the Finance folder on a server in the domain.fabrikam.com domain.
Exercise 1: Auditing Log On and Log Off Attempts
In this exercise, you establish audit policy to monitor many user and administrative activities. These specific audit policies will not create a significant load on a server because they are relatively rare activities.
To establish audit policies for users and computers
Open the Active Directory Users And Computers management console.
Right-click domain.fabrikam.com, and choose Properties. Click the Group Policy tab shown in Figure 4-12, and double-click Domain Security Policy.
Figure 4-12. The Group Policy tab
In the Group Policy console, expand Domain Security Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, and click Audit Policy to view the various policies. See Figure 4-13.
Figure 4-13. The Group Policies console
Double-click Audit Account Logon Events, select Define These Policy Settings, select Failure, and click OK. The audit log will report account logon events that fail.
Double-click Audit Logon Events, select Define These Policy Settings, select Failure, and click OK. The audit log will report logon events that fail.
Double-click Audit Account Management, select Define These Policy Settings, select Success and Failure, and click OK. The audit log will report the creation of or change to any user account or group.
Double-click Audit Policy Change, select Define These Policy Settings, select Success and Failure, and click OK. The audit log will report any change to the computer's audit policy, user rights assignments, or trust policies.
Close the GPO, and click OK to close the Properties dialog box.
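The same audit policy that Exercise 1 sets through the GPO dialogs, expressed as a security template and applied with secedit.exe. This is an added example and not part of the lesson. It assumes a Windows computer on which you are a local administrator and applies the settings to that computer's Local Security Policy rather than to the domain GPO; the [Event Audit] section is the same one a GPO stores in its GptTmpl.inf. The file names under %TEMP% are arbitrary, and System events are included because the lesson lists them among the events administrators typically monitor, although Exercise 1 itself does not set them.

```powershell
# Added example, not from the lesson: Exercise 1's audit policy as a security template.
# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
# Single-quoted here-string so the $CHICAGO$ signature is not expanded as a variable.
$template = @'
[Unicode]
Unicode=yes
[Event Audit]
AuditAccountLogon = 2
AuditLogonEvents = 2
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditProcessTracking = 0
AuditDSAccess = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Paths are assumptions; any writable location works.
$inf = Join-Path $env:TEMP 'audit-policy.inf'
$db  = Join-Path $env:TEMP 'audit-policy.sdb'

# Security templates must be UTF-16 ("Unicode") text.
Set-Content -Path $inf -Value $template -Encoding Unicode

# /areas SECURITYPOLICY restricts the import to Account Policies and Local Policies,
# so nothing else (rights assignments, registry or file ACLs, services) is changed.
secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Check what is now in effect for the categories the exercise touched.
foreach ($category in 'Account Logon', 'Logon/Logoff', 'Account Management', 'Policy Change', 'System') {
    auditpol.exe /get /category:$category
}
```

Two caveats. auditpol.exe exists only on Windows Vista and later; on Windows 2000 confirm the result in the Local Security Policy console instead. On Vista and later, if the security option Audit: Force audit policy subcategory settings to override audit policy category settings is enabled, these category-level values are ignored and the per-subcategory settings (auditpol /set /subcategory or Advanced Audit Policy Configuration in the GPO) are what applies.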
Exercise 2: Auditing File and Folder Access
In this exercise, you establish file and folder auditing for documents contained within a specific folder that stores highly sensitive information. All file activity in this folder will be monitored.
To enable file system object auditing
Open the domain.fabrikam.com Domain Security Policy.
Expand Domain Security Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, and click Audit Policy.
Double-click Audit Object Access to open the Security Policy Setting dialog box as shown in Figure 4-14.
Figure 4-14. Defining the policy for object access
Select Define These Policy Settings, select Success and Failure, and click OK. The audit log will report attempts to access any object that has auditing entries in its SACL; objects without auditing entries generate no events.
Close the GPO and any other open windows.
To set audit policy on a specific folder
In Windows Explorer, browse to C:\Departments.
Right-click Finance, and choose Properties.
Click the Security tab, and click Advanced.
Click the Auditing tab, and click Add.
In the Select User, Computer, Or Group dialog box, double-click Everyone to open the Auditing Entry dialog box, as shown in Figure 4-15.
Figure 4-15. Auditing Entry dialog box
Select the Successful and Failed check boxes for
Create Files / Write Data
Create Folders / Append Data
Delete Subfolders And Files
Delete
Change Permissions
Take Ownership
Click OK to finish setting Audit ACEs, click OK to close the Access Control Settings dialog box, and click OK to close the folder Properties dialog box.
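The auditing entry from the procedure above, set from PowerShell instead of the Auditing tab, followed by the checks a practitioner would run. This is an added example and not part of the lesson. It assumes C:\Departments\Finance exists, that Audit Object Access has already been enabled as in the first procedure of this exercise, and that the shell is running elevated: reading or writing a SACL requires the Manage auditing and security log right, so Get-Acl -Audit fails otherwise.

```powershell
# Added example, not from the lesson: the Exercise 2 auditing entry via the .NET ACL classes.
$folder = 'C:\Departments\Finance'   # path from the exercise

# The six rights ticked in the dialog. The dialog labels differ from the enum names:
# "Create Files / Write Data" is WriteData, "Create Folders / Append Data" is AppendData.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'

# Apply to this folder, subfolders, and files (the dialog's default scope).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Both the Successful and Failed check boxes.
$audit = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList 'Everyone', $rights, $inherit, $propagate, $audit

# -Audit is required: without it Get-Acl returns only the DACL and Set-Acl leaves
# the SACL untouched, so the entry would silently not be written.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: the folder's audit ACEs as Windows now sees them.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited |
    Format-Table -AutoSize

# Check: the SACL produces nothing unless object access auditing is on.
auditpol.exe /get /category:"Object Access"
```

The entry deliberately leaves out ReadData and ReadAttributes, in line with the lesson's warning about load: auditing reads on a folder that users open all day fills the security log far faster than auditing writes, deletes, and permission changes.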
Exercise 3: Monitoring the Audit Log
In this exercise, you create an audit trail by creating and deleting a file in the Finance folder. Once the audit trail is created, you can view the audit log.
To create an audit trail
In Windows Explorer, browse to C:\Departments\Finance.
Right-click in the folder, point to New, and choose Text Document.
Type Finance Data.txt as the name of the document.
Double-click Finance Data.txt to open the document.
Type This is sample Data.
Save and close the text document.
Right-click Finance Data.txt, and choose Delete.
Click Yes to confirm that you want to delete the text document.
Close all open folder windows.
To view the audit log
Click Start, point to Programs, point to Administrative Tools, and click Event Viewer.
Click Security Log.
Browse through the security log from the bottom up as shown in Figure 4-16. Find the event marking the creation of the file New Text Document.txt.
Figure 4-16. Viewing the security log
Browse through subsequent object access events.
You will notice a delete event for the New Text Document.txt, which actually indicates that the file has been renamed. Subsequent audit log entries for this file will refer to it as Finance Data.txt.
Browse up through subsequent object access events for the Finance Data.txt file.
You will notice a write data event and a delete event for this file.
Close the Event Viewer.
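The review that Exercise 3 does by hand, and the two anomalies the lesson describes (a burst of failed logons against one or many accounts, and changes to a sensitive document after hours), as PowerShell functions over flattened security log records. This is an added example and not from the lesson. Event IDs 4625 (failed logon) and 4663 (an attempt was made to access an object) are the Windows Vista and later numbers; Windows 2000 used 529 through 537 and 539 for failed logons and 560 and 567 for object access, so adjust the filters there. The records fed to the functions are constructed sample data so that the block runs offline; the commented lines at the end show how to feed it the live log. The threshold, window, and working hours are assumptions to tune for your environment.

```powershell
# Added example, not from the lesson: detection over security log records.
# Event IDs assume Windows Vista or later (4625 failed logon, 4663 object access).

function ConvertTo-AuditRecord {
    # Flatten one Security event: TimeCreated, Id, plus every EventData field by name
    # (TargetUserName, IpAddress, ObjectName, AccessMask, ...).
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $rec = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $xml.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        [pscustomobject]$rec
    }
}

function Find-LogonBursts {
    # One alert per source address that produced at least $Threshold failed logons
    # within $WindowMinutes. One account means password guessing; many means spraying.
    param($Records, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $failed = @($Records | Where-Object { $_.Id -eq 4625 } | Sort-Object TimeCreated)
    foreach ($group in ($failed | Group-Object IpAddress)) {
        $events = @($group.Group)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $end    = $events[$i].TimeCreated.AddMinutes($WindowMinutes)
            $window = @($events[$i..($events.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
            if ($window.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source   = $group.Name
                    Start    = $events[$i].TimeCreated
                    Failures = $window.Count
                    Accounts = ($window.TargetUserName | Sort-Object -Unique) -join ','
                }
                break   # one alert per source is enough
            }
        }
    }
}

function Find-AfterHoursAccess {
    # Object access events under $PathPrefix outside the $OpenHour..$CloseHour working day.
    param($Records, [string]$PathPrefix, [int]$OpenHour = 8, [int]$CloseHour = 17)
    $Records | Where-Object {
        $_.Id -eq 4663 -and
        $_.ObjectName -like "$PathPrefix*" -and
        ($_.TimeCreated.Hour -lt $OpenHour -or $_.TimeCreated.Hour -ge $CloseHour)
    } | Select-Object TimeCreated, SubjectUserName, ObjectName, AccessMask
}

# Constructed sample records (not real log data): eight failures from one address in
# under four minutes across six accounts, and one 19:45 write to the Finance folder.
$base     = [datetime]'2024-03-12T19:05:00'
$accounts = 'administrator', 'jdoe', 'finance1', 'backup', 'svc_sql', 'rpaul'
$sample = @(
    foreach ($i in 0..7) {
        [pscustomobject]@{
            TimeCreated    = $base.AddSeconds(30 * $i)
            Id             = 4625
            TargetUserName = $accounts[$i % $accounts.Count]
            IpAddress      = '203.0.113.45'
        }
    }
    [pscustomobject]@{
        TimeCreated     = $base.AddMinutes(40)
        Id              = 4663
        SubjectUserName = 'jdoe'
        ObjectName      = 'C:\Departments\Finance\Hours.xls'
        AccessMask      = '0x2'   # FILE_WRITE_DATA
    }
)

Find-LogonBursts -Records $sample | Format-Table -AutoSize
Find-AfterHoursAccess -Records $sample -PathPrefix 'C:\Departments\Finance' | Format-Table -AutoSize

# Against the live log (run elevated; only administrators can read the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4663 } | ConvertTo-AuditRecord
# Find-LogonBursts -Records $live
# Find-AfterHoursAccess -Records $live -PathPrefix 'C:\Departments\Finance'
```

On the sample data the burst detector reports one source, 203.0.113.45, with 8 failures across 6 accounts, and the after-hours filter returns the single 19:45 write by jdoe. Against a real log, remember the caveat from Exercise 3: a rename of an audited file appears as a Delete access on the old name, so a delete event is not by itself proof that data was destroyed.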
Lesson Review
Why should you be judicious in your use of auditing rather than audit all possible events?
How would you use auditing to determine if hackers are attempting to run a password list against the administrative account of a computer attached to the Internet?
How would you use auditing to determine if an employee has been changing the reported hours worked in a Microsoft Excel spreadsheet after the accounting department has left at 5:00 P.M.?
How does auditing prevent users from damaging files to which they have access?
Lesson Summary
Windows supplements its permission-based (authorization) security by providing support for event auditing, which allows authorized users to be held accountable for their activities in the system.
Windows can audit numerous categories of events, including access to specific files, folders, printers, and Active Directory objects, as well as the use of user rights such as logging on to a system.
Certain types of auditing can create excessive load on the system. To avoid excessive load, you should audit object access only for files and folders that contain sensitive information.
Most computers should be audited, at a minimum, for user account creation and management, failed local and network logon attempts, and changes to security policy. These events should be relatively rare, and they can alert you to hacking activity.